MS08-067 exploit in wild (Oct 23, 2008)

/in /by

Today SonicWALL UTM Research team received samples using the newly patched MS08-067 – Windows Server Service vulnerability. We have received at least 10 distinct copies of this exploit malware. Filenames were n[x].exe (where [x]=1 or 2 or 3).

The malware is 397,312 bytes in size. When executed, it drops following malicious file in the system folder:

  • sysmgr.dll

It starts a service as “sysmgr (System Maintenance Service)” and deletes the original copy of the malware from the folder where it was executed.

It tries to communicate with following domains over HTTP:

  • summertime.1gokurimu.com
  • doradora.atzend.com
  • perlbody.t35.com
  • 59.106.145.58

The trojan generates a URL based on the operating system and antivirus information, in the following format: IPADDRESS/test2.php?abc=A?def=B

Where A is numeric and represents an associated type of antivirus application and B is also numeric and defines the operating system. The two values vary depending on the host computer.

It also performs following registry modifications:

  • Creates key “HKLMSystemCurrentControlSetServicessysmgrParameters”.
  • Sets value “ServiceDll”=”C:WINDOWSSYSTEM32wbemsysmgr.dll” in key “HKLMSystemCurrentControlSetServicessysmgrParameters”.
  • Sets value “ServiceMain”=”ServiceMainFunc” in key “HKLMSystemCurrentControlSetServicessysmgrParameters”.
  • Creates key “HKLMSoftwareMicrosoftWindows NTCurrentVersionSvcHost”.
  • Sets value “sysmgr”=”sysmgr” in key “HKLMSoftwareMicrosoftWindows NTCurrentVersionSvcHost”.
  • Sets value “I”=”” in key “HKLMSystemCurrentControlSetServicessysmgr”.
  • Sets value “DisplayName”=”System Maintenance Service” in key “HKLMSystemCurrentControlSetServicessysmgr”.

This malware has a very low detection at the time of this writing: Win32/Gimmiv.A [Microsoft], Generic Dropper [McAfee], Mal/Generic-A [Sophos].

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: MS08-067 (Exploit) signature.

SonicWALL has also released generic IPS signatures that will detect and prevent attacks targetting this vulnerability. Please to refer to MS08-067 Server Service Buffer Overflow (Oct 23, 2008) for a detailed description of the vulnerability.

New statement spam (Oct 17, 2008)

/in /by

SonicWALL UTM Research team observed a new wave of the on-going Statement document spam campaign starting today Friday, October 17, 2008. The email has a zip archived attachment which contains the new Trojan variant.

The e-mail contains following attachment:

Attachment: Statement_01-10.zip (contains Statement_01-10.doc [WHITESPACES] .exe – UPX packed)

The Trojan when executed drops following malicious files in the system folder:

  • rs32net.exe (copy of itself)

It also creates the following Registry keys to ensure that rs32net.exe gets executed automatically on system startup:

  • HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunrs32net = “(SYSTEM FOLDER PATH)rs32net.exe”

It then starts the rs32net.exe process and deletes the original copy of the file from the folder where it was executed.

The Trojan tries to send a HTTP GET request

  • GET /40E80008F04FCE3BCEE24D126C000001DD6600000002760000015EEB000530829EA5AC HTTP/1.0

to following IP addresses:

  • 208.66.194.240
  • 216.195.55.50
  • 216.195.56.22
  • 209.66.122.238
  • 91.203.92.7
  • 208.66.195.15
  • 208.66.195.71

The Trojan has a very low detection at the time of writing this report.

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.AGWR (Trojan) signature.

MS Windows IPP Buffer Overflow (Oct 17, 2008)

/in /by

The Internet Printing Protocol (IPP) is a standard network protocol for managing remote printing. IPP is built on HTTP/1.1 and supports access control, encryption and authentication. The Microsoft IPP implementation consists of an ISAPI extension for Internet Information Service (IIS). Client hosts send IPP requests to the MS IPP service by accessing the “/printers” HTTP directory through IIS. The server replies to these request with an HTML page containing the list of all currently configured printers on the server. The IPP service can be used to query a specific printer on the remote host as well. The following HTTP request is shown as an example:

POST /printers/~5c~5c10~2e0~2e0~2e10~5cdummy/.printer HTTP/1.1
Content-Type: application/ipp

In the above example, the printer is instructed to send an IPP query to a remote SMB printer \10.0.0.10dummy Upon receiving such a request, the IPP service will translate it into SPOOLSS RPC request and redirect it to the given printer. Windows defines a Remote Procedure Call (RPC) interface for the server-side spooler Win32 API. This RPC interface can be accessed via the named pipe “spoolss” with UUID “12345678-1234-abcd-ef00-0123456789ab”.

To service the IPP request, the server will establish an SMB connection to the requested printer and send the IPP request translated into RPC function. The RPC reply is then translated into HTTP/IPP reply and sent back to the original requester in the same HTTP session.

One of IPP requests is the Get-Jobs request with operation-id 0x000a. This request translates into the EnumJobs RPC function, its purpose is to enumerate the list of print jobs currently managed by the chosen printer. The function’s prototype is shown below:

BOOL EnumJobs(
  HANDLE hPrinter, // handle to printer object
  DWORD FirstJob, // index of first job
  DWORD NoJobs, // number of jobs to enumerate
  DWORD Level, // information level
  LPBYTE pJob, // job information buffer
  DWORD cbBuf, // size of job information buffer
  LPDWORD pcbNeeded, // bytes received or required
  LPDWORD pcReturned // number of jobs received
);

Normally, the function is called twice. First, the caller specifies an empty buffer cbBuf=0 and the spooler replies with pcbNeeded set to the size of the buffer required to store the request. The caller will then repeat the request setting cbBuf to the required size.

A buffer overrun vulnerability exits within the IPP implementation on Windows servers running IIS. The flaw may be exploited by remote authenticated attackers by sending a crafted Get-Jobs IPP request to the target server. Specifically, the attacker will send the Get-Jobs IPP with the IP address and printer name of an attacker-controlled print server. The attacker’s print server will reply to the SMB/RPC requests from the target, waiting for the EnumJobs RPC function call. The reply from the attacker to the EnumJobs call will provide incorrect cbBuf and pcbNeeded values such that when these values are added by the vulnerable IPP server, the sum will overflow a 32-bit integer. The IPP server will allocate memory based on this sum which will be smaller than the size of the pJob string, and this buffer will be overwritten by the received pJob.

Successful exploitation of this vulnerability may allow for arbitrary code injection and execution with the privileges of the ISS server process. Code injection that does not result in execution could terminate the affected process due to memory corruption.

SonicWALL has released an IPS signature that will detect and prevent known exploits of this flaw. The following signature addresses this vulnerability:

  • 5274 – MS Windows Internet Printing Service Integer Overflow PoC (MS08-062)

This vulnerability has been assigned CVE-2008-1446 and has been described in the Microsoft security bulletin MS08-062

SQL Injection Attack Summary (Oct 10, 2008)

/in /by

The SQL Injection Attack is not new to the SonicWALL customers, but it is still popular. An article about it was released by SonicWALL UTM team two months ago. In that article, we have explained the details of this type of attacking. Also, we provided statistics data about the attacks around that time.

During the past two months, there are more SQL Injection Attack waves happened. The following figure shows the hits statistics of all the SQL Injection related signatures from June 2008 on. And it indicates there were three waves of attacks, and two of them happened in August 2008.

To provide more protection to the SonicWALL customers from being affected by the SQL Injection Attacks, the SonicWALL UTM team re-classified the SQL related signatures, and created a new category called SQL-Injection. There are 36 signatures re-classified into the new category. The detailed signature names can be found here. With this new category, the customers can easily manage the SQL Injection related signatures, no matter the signatures are in low or high priority.

Note that the figure is more accurate than the one from the last article because it shows all the 36 SQL Injection signatures instead of 11 signatures for the last time.

Angelina Jolie video spam (Oct 6, 2008)

/in /by

SonicWALL UTM Research team observed a new wave of the on-going Angelina Jolie video spam campaign starting on Monday, October 6, 2008. The email has a zip archived attachment which contains the new Downloader Trojan variant.

SonicWALL has received more than 60,000 e-mail copies of this malware till date. The e-mail looks like following:

Attachment: video.zip (contains video.exe – UPX packed)

Subject: Angelina Jolie Free Video

Email Body:
————————
New sex scandal, Angelina Jolie porn watch in attached file
————————

The Trojan when executed drops following malicious files in the system folder:

  • gzipmod.dll
  • vbagz.sys

It also creates the following Registry keys to ensure that gzipmod.dll is installed as a Winlogon notification package:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifygzipmod
  • HKLMSYSTEMControlSet001ControlSafeBootMinimalkteproc.sys
  • HKLMSYSTEMControlSet001ControlSafeBootNetworkkteproc.sys

The Trojan includes a backdoor component that listens on TCP port 6051 & 6052. It also tries to resolve the following domains and subsequently sends HTTP requests to them:

  • sargej-grienko.com
  • ulm-haafeulm-haa.com
  • art8005.com

The Trojan is also known as Trojan.Spy.Goldun.NDU [BitDefender], Win32/Spy.Goldun.NDN trojan [ESET], and TR/Crypt.XPACK.Gen [AntiVir]

SonicWALL Gateway AntiVirus provides protection against this malware via GAV: Agent.XQL (Trojan) signature.

Openwsman HTTP Basic Auth Overflow (Sep 25, 2008)

/in /by

Web Services Management (WS-Management) is a specification of a SOAP-based protocol for the management of servers, devices, applications and more. Openwsman, maintained by Intel’s Open-Source Technology Center, is a project intended to provide an open-source implementation of the WS-Management and to expose system management information on the Linux operating system.

The openwsman 2.0.0 management service is vulnerable to remote buffer overflow attacks. One of authorization schemes supported by Openwsman is the Basic HTTP authentication. An example of such a request follows:

POST / HTTP/1.1
Host: www.example.com
Authorization: Basic dnJ0OmZvb2Jhcg==

Openwsman decodes and stores the authorization credential to a stack based buffer without performing boundary checks. The buffer has a static size of 4096 bytes. By sending HTTP requests with specially crafted Authorization header value (longer than 5462 bytes), a user without valid login credentials could trigger the buffer overflow. Successful exploitation could lead to execution of arbitrary code on the vulnerable system with the privilege of the openwsman server process.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 2060 Openwsman HTTP Basic Authentication BO Attempt

ICS Monitoring Team spam (Sep 29, 2008)

/in /by

SonicWALL UTM Research team observed a new spam campaign starting on Friday, September 27, 2008 which involves a fake notification e-mail pretending to be arriving from ICS Monitoring Team. The email has a zip archived attachment which contains the new Downloader Trojan.

SonicWALL has received more than 40,000 e-mail copies of this malware so far. The e-mail looks like following:

Attachment: user-EA49943X-activities.zip (contains user-EA49943X-activities.exe)

Subject: Your internet access is going to get suspended

Email Body:
————————
Your internet access is going to get suspended

The Internet Service Provider Consorcium was made to protect the rights of software authors, artists. We conduct regular wiretapping on our networks, to monitor criminal acts.

We are aware of your illegal activities on the internet wich were originating from

You can check the report of your activities in the past 6 month that we have attached. We strongly advise you to stop your activities regarding the illegal downloading of copyrighted material of your internet access will be suspended.

Sincerely ICS Monitoring Team
————————

The Trojan when executed drops following malicious files in the system folder:

  • gzipmod.dll
  • tremir.bin
  • vbagz.sys

It also creates the following Registry keys:

  • HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogonNotifygzipmod
  • HKLMSYSTEMControlSet001ControlSafeBootMinimalkteproc.sys
  • HKLMSYSTEMControlSet001ControlSafeBootNetworkkteproc.sys

It also tries resolve the following domains and subsequently sends HTTP requests to them:

  • ulm-haafeulm-haa.com
  • art8005.com

The Trojan is also known as Trojan-Dropper.Win32.Agent.xgg [Kaspersky], W32/Downldr2.DVJA [F-Prot], and TR/Crypt.XPACK.Gen [AntiVir]

SonicWALL Gateway AntiVirus provided protection against this malware via GAV: Goldun.AZM (Trojan) signature [159,053 hits recorded].

screenshot

RealWin DATAC Control Buffer Overflow (Oct 1, 2008)

/in /by

RealWin is a SCADA server product that monitors and controls a industrial, infrastructure or facility based process in a computer system. A SCADA System usually consists of a Human-Machine Interface, a supervisory system and a Remote Terminal Units. RealWin, as a SCADA system, can read and maintain data returned from field devices using drivers, store data for historical access, run CSL (Command Sequence Language) scripts and generate alarms as defined in the system.

There is a stack-based buffer overflow vulnerability in DATAC Control RealWin SCADA System server product 2.0 and prior. The vulnerability is due to a boundary error while parsing a crafted value in a FC_INFOTAG/SET_CONTROL packet.

A remote, unauthenticated attacker could exploit this vulnerability by sending a specially crafted FC_INFOTAG_SET_CONTROL packet. Successful exploitation would allow for arbitrary code injection and execution with the privileges of the affected service, or terminate the application resulting in a Denial of Service condition.

SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature to address this vulnerability is:

  • 1134 RealWin Server Crafted FC_INFOTAG/SET_CONTROL Packet BO Attempt

    • Important Document (doc.zip) spam (Sep 23, 2008)

    /in /by

    SonicWALL UTM Research team observed a new spam campaign starting on Monday, September 22, 2008 which involves a fake e-mail claiming to have an important document.

    SonicWALL has received 4,500 e-mail copies of this malware so far. The e-mail looks like following:

    Attachment: doc.zip (contains doc.exe) -> password protected

    Subject: Important document for X (where X = random alphanumeric string)

    Email Body:
    ————————
    Hello X, the document is attached. Pass 123.
    ————————

    The email attachment contains zipped malware executable which is a new Downloader Trojan. The Trojan when executed drops the following files on the system:

    • c:2.tmp
    • c:3.tmp
    • c:4.tmp
    • c:5.tmp
    • c:6.tmp
    • c:7.tmp

    It also tries to download other malware by sending following GET requests:

    • hxxp://79.135.XX.18/cgi-bin/index.cgi?user5
    • hxxp://79.135.XX.18/scan.exe
    • hxxp://79.135.XX.18/s.exe
    • hxxp://79.135.XX.18/l.exe
    • hxxp://79.135.XX.18/ftp.exe

    The Trojan is also known as TrojanDownloader:Win32/Chepvil.H [Microsoft], W32/Trojan3.AN [F-Prot], and TR/Dropper.Gen [AntiVir]

    SonicWALL provides protection against password protected zip file via GAV: Password-protected ZIP file signature. It is highly recommend to turn on “Restrict Transfer of password-protected ZIP files” option in Gateway Anti-Virus settings to turn the signature on.

    SonicWALL has also released a signature to detect the new Downloader Trojan:Agent.AHKV (Trojan)

    IBM DB2 XML Query Buffer Overflow (Sep 19, 2008)

    /in /by

    A remotely exploitable vulnerability has been reported in the IBM DB2 Database product. The DB2 product consists of a set of separate services that provide data processing functions. The main database engine process is contained in the binary executable db2syscs.exe on Windows based installations.

    The DB2 database has unique facilities to store and manage data in XML format. Quering and manipulation of XML data objects is performed with the help of the XQuery query language. DB2 supports a set of functions that can resolve XQuery expressions to facilitate XML data management.

    One of such XQuery functions is XMLQUERY. Given an XQuery expression as its argument, this function returns an XML value from the database. The syntax of XMLQUERY is described as follows:

    XMLQUERY(xquery-expression-constant [PASSING xquery-argument AS identifier] )

    Where xquery-expression-constant is an SQL character string that is interpreted as an XQuery expression. A practical use example of the function is shown:

    SELECT XMLQuery(’$PORDER/PurchaseOrder/item/name’) FROM purchaseorder

    A stack buffer overflow vulnerability exists during the processing of the XMLQUERY function. The vulnerability is a result of insufficient boundary checks on the xquery-expression-constant string passed to the affected function. The vulnerable code does not properly validate the length of this parameter before making an internal copy of it to a limited buffer on the stack. This has been shown to result in overwriting of critical memory locations in cases where the string argument is overly long.

    A remote authenticated attacker with limited privileges could exploit this vulnerability by passing a specially crafted argument to the XMLQUERY function in a SQL statement. Successful exploitation of this flaw may allow the attacker to inject and execute arbitrary code in the context of the affected service, normally the Administrative account.

    SonicWALL has released a generic IPS signature that will detect and prevent attacks targeting this vulnerability. The signature released to address this vulnerability is:

    • 5244 IBM DB2 Universal Database XMLQuery BO Attempt